Analysis
max time kernel: 120s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:43
Static task: static1
Behavioral task: behavioral1
  Sample: c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
  Resource: win10v2004-20241007-en
General
Target: c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
Size: 2.6MB
MD5: fa99b3f3c6accb7de65c3bac44149590
SHA1: da03a7623eaf2b009f3f7301675852384fdac01b
SHA256: c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299
SHA512: 4ba7d1ae73e813e318d0f933a4c49650214dccce07a48b99be220919bcd9d868215d1a370ad769f2aa9941034a66e1a0522162f05c5d1beb1f5824b6f7c7d131
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3336 | locdevdob.exe
  3100 | xoptisys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQU\\xoptisys.exe" | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT0\\dobxec.exe" | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptisys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs, collapsed to unique pid/process pairs with entry counts)
  pid | Process | entries
  3116 | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | 4
  3336 | locdevdob.exe | 30
  3100 | xoptisys.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3116 wrote to memory of 3336 | 3116 | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | 87
  PID 3116 wrote to memory of 3336 | 3116 | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | 87
  PID 3116 wrote to memory of 3336 | 3116 | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | 87
  PID 3116 wrote to memory of 3100 | 3116 | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | 90
  PID 3116 wrote to memory of 3100 | 3116 | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | 90
  PID 3116 wrote to memory of 3100 | 3116 | c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3116
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (child of PID 3116)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3336
  C:\IntelprocQU\xoptisys.exe (child of PID 3116)
    command line: C:\IntelprocQU\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3100
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 6f26e857617b98903d8ed3bf19d17298
  SHA1: f654e9a15f686d0a406d9f6d94c3f3c3baf13e7a
  SHA256: 0837dd8460a0493948dac7de38e1c1a347552068448d31b4dcf7b867e0e7ea59
  SHA512: 19d1cda7bae8ea5b58974abc6acac4f869c3aa94fc1aa29256ab503a8c291f10adc0ec5d081f1c8040f86f1f4f11dbc9d6a5bdfd3a0cbcd164b5e28b8e73abb3
- Filesize: 2.6MB
  MD5: 8def5ac95380a585c779833edfd24e26
  SHA1: 438fecb34671a603222a25aa100bf5f2e425ba97
  SHA256: 41da38ee5d1348f7448610c7b5fad753578d3ed084abc7771c111e4f62ccb61d
  SHA512: 4fb8f25346c018ddd3e6b7a66c09f6bb2e99d60676eecfdd56c081b8036456f3c9f9e3912d6a7b3b692be24b8b7d42913163bad6eb09b268dd56f92fcf665674
- Filesize: 1.5MB
  MD5: 99f664cef21bf11cfb2444ea4ea591b3
  SHA1: adedae24e9abf604ec347df9b67caca443742111
  SHA256: 6bdaf4a24d60fda99be9bf1fa552c56fe6615a8d008a7b349db25aa4793cd95a
  SHA512: 39eaa74f5f614299b36da6305f16e145da98f94cc5d9f6242962abdcbfa52f5a1f73e1d105e36c84f55ea6ccb6bebb86cbacc147ad23eb3b0a798ee99cd81ef9
- Filesize: 206B
  MD5: 8359f7dfbb447609d29bae8ab8981745
  SHA1: a7a798bd23a3c976c3b61228f0807610a64f447c
  SHA256: 3bc846958271fcb0496898b2c710e818a31630e1fc3bd6de34ae5f212905371a
  SHA512: 1c162f7caee94c8a070beca9bb95b9c2b31f6589350601b9052bfcb9b8029a3c9cee23ab95593d692d5fabbf51786fc59424132da2c83997a2ade55d566fdb31
- Filesize: 174B
  MD5: 2709673bd08b72f4f47b12b4f3405b8a
  SHA1: 3bf67f7b7fd64fb31ad8fcf4ed23bf4f9da13f9c
  SHA256: f98e1c2ce745b2a7f645bc4ae033d830897e499af5856a46304bae3978678f52
  SHA512: b309ddeae2dfb41b70137d3bd6034d2bbd095bd365248009c966b4801e6208557fb82cd3d63a895778a932ba69f717a156ae06143e0e19459c5f3d2b5eb359e9
- Filesize: 2.6MB
  MD5: 3b989ecf26c50a46f4f7623d2624c59b
  SHA1: d1c5d41a4ad561e0a49c1b4863251dfab850f315
  SHA256: 97349ec3c0400e31f0e03205f45b85f32d063173b083506ff492a4bbe2bc8415
  SHA512: f3c029f77b99785425b1135a957a0ecbb3419d2adba25c52b9af178d98ffe495c16fb774a30490c8b23d39af039576d7fc654b0d280cf77bc92fe5a779ad19c9